The Major Flaw of Pen-Testing

The company I work for recently sent out an email letting everyone know that an outside security firm would be attempting to gain unauthorized access to company tools and resources from both inside and outside of the company's infrastructure.  It also stated that this was part of a yearly security audit being done by the company.  The only problem that I have with that is that I found a bunch of potential security flaws just a few months ago from my home that I then brought to the attention of my superiors.  I guess the penetration tests didn't do too well last year...

Anyway, this whole process got me thinking.  Many companies and organizations either hire outside consultants or use internal IT/security staff to run these penetration tests.  I do believe that proper security and network penetration testing is important to protecting a company's assets.  However, it shouldn't be the only line of defense.

First, many companies have a flawed password policy.  Luckily, the company I work for is pretty strict on that, but many companies are not.  If a company doesn't make users change their passwords on a regular basis, doesn't check that the same password isn't being reused across multiple company tools and resources, and doesn't force a mix of upper and lower case, numbers, and special characters, there are problems right there.  (Current guidance such as NIST SP 800-63B has moved away from forced rotation and composition rules in favor of longer passphrases screened against known-breached passwords, but reuse of one password across tools is still the part an attacker cashes in on.)

However, this is not the major drawback to pen-testing.  The biggest drawback to standard pen-testing is that it doesn't test the weakest link in the network: the people who use it day to day, the employees.  Every network has that component, no patch fixes it, and you could fairly call it the most critical element in the security chain.

While most companies have strict policies and procedures about revealing information over company phones to unauthorized people, those policies are rarely put to the test.  Someone sufficiently skilled at social engineering can usually work out which buttons need to be pushed, and when, to get exactly the information they are after.

Hand-offs between departments are often a very weak link.  One group doesn't document calls or interactions well, or at all, and even when it does, the other group either has no access to the history in the ticketing system that most IT and customer service groups use, or doesn't bother to check it.  Put simply, someone after information on an account, individual, or network can usually get part of what they need from one department and use it to pry the rest out of another; each request looks harmless on its own, and only the sequence gives the game away.  If documentation were better and the second group checked the history, they would have reason to be suspicious.

This is just one of many ways social engineering can yield privileged information.  There are many more; look through magazines such as 2600 and the audio and video from cons around the world and you will find plenty.

My goal here is not a primer on social engineering.  My goal is to point out something that should be obvious: companies should run regular internal security checks against their own employees and give constant feedback so that people know how to handle sensitive information properly.  This holds especially for customer service and technical support groups, which face the end user and the public at large.

In my current job, I have seen plenty of cases where someone calls in stating that their account has been compromised.  When checking the history in our system, I find that existing security policy wasn't followed, simply because the person on the other end of the line was irate, pushy, and threatening to contact the corporate office.  The representative was overwhelmed and caved.
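The two failure modes above, the cross-department chain (part of the information from one group, the rest from another) and the representative who caves to an irate caller, are both things a ticketing system can catch if the release decision is gated on the account's history rather than on the mood of the call.  The following is an added example written for this article, not code from the original or from any particular ticketing product.  The department names, field names, the 24-hour window, the "takeover sets" of fields, the callback procedure, and the sample tickets are all assumptions constructed for the illustration.

```python
"""Gate a representative's information release on the account's cross-department
ticket history.  Added example for this article, not code from the original;
the departments, field names, thresholds and tickets are constructed for
illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Ticket:
    when: datetime
    department: str
    account: str
    verified: bool        # caller passed this department's identity check
    released: frozenset   # account fields disclosed on this interaction
    note: str = ""


WINDOW = timedelta(hours=24)   # assumed look-back period
MAX_CONTACTS = 3               # assumed: this many contacts in WINDOW is unusual
# Assumed for the example: field sets that together let an outsider reset or
# take over the account, e.g. e-mail plus username permits a self-service reset.
TAKEOVER_SETS = (frozenset({"email", "username"}),
                 frozenset({"email", "security_answer"}))


def assess_request(history: Iterable[Ticket], account: str, department: str,
                   requested: frozenset, verified_now: bool,
                   now: datetime) -> Tuple[str, List[str]]:
    """Return ("deny" | "escalate" | "release", reasons).

    "escalate" means the representative must stop and use the callback to the
    number on file (an assumed procedure).  There is deliberately no override
    argument: an irate caller cannot talk the code out of its decision.
    """
    if not verified_now:
        return "deny", ["caller has not passed this department's identity check"]

    recent = [t for t in history
              if t.account == account and timedelta(0) <= now - t.when <= WINDOW]
    reasons: List[str] = []

    # Rule 1: any failed identity check on this account, in any department.
    failed = [t for t in recent if not t.verified]
    if failed:
        depts = ", ".join(sorted({t.department for t in failed}))
        reasons.append(f"{len(failed)} failed verification(s) in the last "
                       f"{WINDOW} ({depts})")

    # Rule 2: unusual contact volume.
    if len(recent) >= MAX_CONTACTS:
        reasons.append(f"{len(recent)} contacts in the last {WINDOW}")

    # Rule 3: would this release complete a takeover set, given what other
    # departments already gave out?
    already = frozenset().union(*(t.released for t in recent))
    sources = sorted({t.department for t in recent if t.released})
    for combo in TAKEOVER_SETS:
        if combo <= (already | requested) and not combo <= already:
            held = sorted(combo & already)
            reasons.append(f"releasing {sorted(requested)} completes takeover "
                           f"set {sorted(combo)}; {held or 'nothing'} already "
                           f"released by {', '.join(sources) or 'nobody'}")

    return ("escalate" if reasons else "release"), reasons


# Constructed history for one account: a failed attempt, then a partial
# success in billing, followed 28 minutes later by a call to tech support.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_HISTORY = [
    Ticket(T0, "billing", "acct-1042", False, frozenset(),
           "could not give last four of card; asked which e-mail is on file"),
    Ticket(T0 + timedelta(minutes=12), "billing", "acct-1042", True,
           frozenset({"email"}), "knew billing ZIP; e-mail on file read back"),
]
NOW = T0 + timedelta(minutes=40)


def demo() -> str:
    """The tech-support call in the constructed scenario: should be escalated."""
    decision, _reasons = assess_request(SAMPLE_HISTORY, "acct-1042", "tech_support",
                                        frozenset({"username"}), True, NOW)
    return decision


if __name__ == "__main__":
    decision, reasons = assess_request(SAMPLE_HISTORY, "acct-1042", "tech_support",
                                       frozenset({"username"}), True, NOW)
    print(decision)
    for r in reasons:
        print(" -", r)
```

In the constructed scenario, tech support's request for the username passes its own identity check, yet the gate still escalates: billing logged a failed verification 40 minutes earlier, and the e-mail address billing later read back plus the username tech support is about to give out together form a reset-capable pair.  The design point is that the decision is computed from the record, so the representative's only options are to follow the callback procedure or to document why they did not; there is no "caller was upset" path through the code.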

Again, regular network penetration testing provides valuable feedback to IT and security staff that is essential to building a secure network environment.  I am not trying to downplay that.  However, network security is only ever as good as the people using the network.

I don't know of any security consultant groups that perform social engineering audits, and if there are groups out there, they probably charge a pretty penny for that service.  My suggestion would be that companies use senior members of their own teams to test other employees.  This way, they already have an idea of which buttons to push and where the flaws in the system might be.  All that would need to be done is to prove that to the right people in order to increase training and awareness on existing policies, and to create new ones to fill in the gaps.  And because these people are already employed by the company in question, it would save the cost of hiring someone from the outside.

In closing, I just want to say that pen-testing is great.  It can be tedious, exciting, challenging, fun, and everything in between.  It can be a great resource for organizations looking to improve their network security.  All that being said, companies should also place significant emphasis on educating and policing their own.  When the two are coupled together, network pen-testing and social engineering pen-testing, one can begin to build a very solid security policy, starting with and strengthening the weakest link: the employees.
